RHEL-159563 CVE-2026-27654 nginx: NGINX: Denial of Service or file modification via buffer overflow in ngx_http_dav_module

Resolves: RHEL-159563 rh-pre-commit.version: 2.3.2 rh-pre-commit.check-secrets: ENABLED
2026-04-14 11:58:22 +02:00 · 2026-04-14 11:58:22 +02:00 · 6f618941b5
commit 6f618941b5
parent 2ec55f3e43
2 changed files with 41 additions and 1 deletions
--- a/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
+++ b/0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
@ -0,0 +1,31 @@
+diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
+index cfb9892..6bf438a 100644
+--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
+@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
+     ngx_ext_rename_file_t     ext;
+     ngx_http_dav_copy_ctx_t   copy;
+     ngx_http_dav_loc_conf_t  *dlcf;
+    ngx_http_core_loc_conf_t  *clcf;
+ 
+     if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
+         ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+@@ -644,6 +645,18 @@ destination_done:
+         return NGX_HTTP_CONFLICT;
+     }
+ 
+    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+    if (clcf->alias
+        && clcf->alias != NGX_MAX_SIZE_T_VALUE
+        && duri.len < clcf->alias)
+    {
+        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                      "client sent invalid \"Destination\" header: \"%V\"",
+                      &dest->value);
+        return NGX_HTTP_BAD_REQUEST;
+    }
+
+     depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH);
+ 
+     if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) {
--- a/nginx.spec
+++ b/nginx.spec
@ -41,7 +41,7 @@
 Name:              nginx
 Epoch:             2
 Version:           1.20.1
-Release:           28%{?dist}
+Release:           29%{?dist}

 Summary:           A high performance web server and reverse proxy server
 # BSD License (two clause)
@ -123,6 +123,11 @@ Patch14:           0014-Clarify-binding-behavior-of-t-option.patch
 # upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
 Patch15:           0015-Upstream-detect-premature-plain-text-response-from-S.patch

+# https://redhat.atlassian.net/browse/RHEL-159563
+# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17
+# whitespace were removed from the patch
+Patch16:           0016-Dav-destination-length-validation-for-COPY-and-MOVE.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@ -639,6 +644,10 @@ fi


 %changelog
+* Tue Apr 14 2026 Petr Dancak <pdancak@redhat.com> - 2:1.20.1-29
+- Resolves: RHEL-159563 - CVE-2026-27654 nginx: NGINX: Denial of Service
+  or file modification via buffer overflow in ngx_http_dav_module
+
 * Tue Feb 17 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.20.1-28
 - Resolves: RHEL-146528 - CVE-2026-1642 nginx: NGINX: Data injection via
  man-in-the-middle attack on TLS proxied connection